When you visit a company or public building these days, on arrival you often receive the Wi‑Fi login data for the free guest access. In most cases, hotspots that offer guest access are securely separated from the company network and prevent any access to internal data.
So when it comes to wireless network security, we all know that strong encryption and secure access controls are vital for keeping unauthorized persons off the corporate network or the hotspot. The IEEE 802.1X standard is commonly employed here: it authenticates every device individually before it is admitted to the network, instead of relying on a shared password.
But when it comes to the wired company network, few people realize that every Ethernet socket in the building is an open door to the network unless the switch port behind it has been secured against unauthorized devices.
So where does network security start, and where does it end? We could launch into a detailed discussion about various security aspects of modern network infrastructure and we wouldn’t come close to covering everything. The important thing is for the proper network components to be employed and configured appropriately to ensure maximum security for the users and the network itself.
The most basic network component, one which leads a rather obscure existence and is often neglected in planning, is the managed network switch. The task it fulfills involves more than just receiving data and forwarding it to the correct destination.
Switches also play a crucial role in terms of security. They are the gatekeepers of any complex network. With port authentication enabled, only devices and clients that can authenticate at the switch are able to gain access to the internal network; the switch enforces this on every port by refusing to forward traffic until the authentication has succeeded.
The Switch Security Standard
The IEEE 802.1X standard was developed to regulate these access rights. It defines port-based network access control with three roles: the supplicant (the client that wants access), the authenticator (the switch port) and the authentication server, which is typically a RADIUS server that verifies the supplicant's certificate or credentials. The basic requirements are therefore a managed (“intelligent”) network switch and a RADIUS server for authentication.
In practice, managed switches offer system administrators several port modes built around this standard. The following outlines the four most common types of switch-secured access control with a brief explanation of how each one works, the advantages and limitations, and a concrete example.
The Four Ways to Secure Switching
1) Port-based IEEE 802.1X
In this mode the switch authenticates a client at the port by verifying certificates and/or access credentials against a RADIUS server. After one supplicant on the port has successfully authenticated, the whole port is authorized and forwards traffic from any source MAC address until the link goes down or a periodic re-authentication fails.
The advantage is that devices behind the authenticated device do not have to authenticate themselves. The flip side is that anything else plugged into that port, for instance via a hub or an unmanaged switch, rides along on the same authorization, so this mode belongs only on ports whose other end is a trusted device.
As an example scenario, an access point is connected to the switch port and uses certificates and/or access credentials to authenticate at the RADIUS server and gain network access.
Once the access point has been authenticated, the corresponding switch port is opened and all of the WLAN devices associated with it (laptops, smartphones, tablets) are able to reach the network; keeping unauthorized users out is then the job of the WLAN's own authentication, not of the switch port.
2) Single IEEE 802.1X
By using the Single 802.1X function of a switch, an individual client authenticates at a switch port by validating certificates and/or access credentials at a RADIUS server.
The advantage of this is that the port is opened exclusively for the client which authenticated at the RADIUS server. Other clients at this port are denied access to the network without appropriate certificates and/or access credentials.
A typical example is a computer connected to the switch port that uses certificates and/or access credentials to authenticate for network access at the RADIUS server.
Once the computer has successfully authenticated, the switch binds the port to that computer's MAC address and re-authenticates it periodically. The re-authentication interval is a timer on the switch, which the RADIUS server can shorten by returning a Session-Timeout attribute; a device that fails re-authentication loses access.
This ensures that only the device that has already authenticated can send traffic via this switch port. One caveat for practitioners: the binding is to the MAC address, so a device that clones the authenticated MAC after the session is established is not distinguished from the legitimate client unless the link is additionally protected with MACsec (IEEE 802.1AE).
3) Multi IEEE 802.1X
The third option is the RADIUS server authentication of multiple clients through a single switch port.
Here, a device without its own supplicant, typically an unmanaged switch or hub, sits between the managed switch port and the clients, and each client behind it authenticates against the RADIUS server in its own right.
This would be the case if, for example, an unmanaged switch is connected to a switch port of a managed switch that is configured for Multi IEEE 802.1X.
All computers that connect to the unmanaged switch can then authenticate for network access by using certificates and/or access credentials at the RADIUS server. All authentication requests from the computers are forwarded to the RADIUS server via a single switch port.
Each computer that successfully authenticates is authorized individually by its MAC address and re-authenticated periodically by the switch; computers on the unmanaged switch that have not authenticated remain blocked even though they share the same port with authorized ones. One prerequisite is that the intermediate switch must pass EAPOL frames (destination address 01:80:C2:00:00:03) through unchanged. Unmanaged switches generally do, whereas a managed switch in between may have to be explicitly configured to forward them.
4) MAC-based Authentication
A further method for authenticating clients on a switch port is to present a client’s MAC address to a RADIUS server.
The switch port is opened only for clients whose MAC address the RADIUS server accepts; other clients are denied access to the network through that port. This is the fallback for devices that cannot run an 802.1X supplicant. Because a MAC address is transmitted in the clear and is trivial to clone, it identifies a device but does not really authenticate it, so such ports should be combined with segmentation (for example a dedicated printer VLAN) rather than treated as equivalent to certificate-based authentication.
An example for this is a printer connected to the switch port, where the printer’s MAC address is used to authenticate at the RADIUS server for network access.
The switch sends the printer's MAC address to the RADIUS server as the user name (this is commonly called MAC Authentication Bypass, MAB), and the server accepts it only if that address is on its list. The port is then open exclusively for the printer's MAC address, so other clients with a different MAC address cannot gain network access through that switch port.
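To make the difference between the four modes concrete, here is an added example that is not part of the original article: a small Python model of the decision a managed switch port makes for each source MAC address under port-based, single, multi and MAC-based operation. The RADIUS server is a hypothetical in-memory lookup (the user names, secrets and MAC addresses are constructed), and the model also shows the two caveats discussed above, namely that a port-based port admits everything once one device has authenticated, and that a MAC-based port cannot tell a printer from a device cloning its address.

```python
"""Model of per-port admission decisions under the four switch modes.

Added example, not vendor code. RADIUS_USERS / RADIUS_MACS stand in for a
real RADIUS server; real deployments carry EAP over RADIUS.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class PortMode(Enum):
    PORT_BASED = "port-based 802.1X"  # one success authorizes the whole port
    SINGLE = "single 802.1X"          # one client, bound to its MAC address
    MULTI = "multi 802.1X"            # every client authenticates separately
    MAC_BASED = "MAC-based"           # the MAC address itself is the credential


# Hypothetical RADIUS backend (constructed data): EAP identities with their
# credentials, and the list of MAC addresses accepted for MAC-based auth.
RADIUS_USERS = {"ap-lobby": "s3cret-ap", "alice-laptop": "alice-pw"}
RADIUS_MACS = {"00:11:22:33:44:55"}  # the printer


@dataclass
class Port:
    mode: PortMode
    reauth_period: int = 3600                       # seconds; RADIUS Session-Timeout may shorten it
    authorized: Dict[str, int] = field(default_factory=dict)  # mac -> authorization expiry
    port_open_until: Optional[int] = None           # used by port-based mode only

    def authenticate(self, mac: str, now: int,
                     identity: Optional[str] = None,
                     secret: Optional[str] = None) -> bool:
        """One authentication attempt arriving on this port from `mac`."""
        if self.mode is PortMode.SINGLE:
            # The port is already bound to a different, still-valid client.
            if any(m != mac and t > now for m, t in self.authorized.items()):
                return False
        if self.mode is PortMode.MAC_BASED:
            ok = mac in RADIUS_MACS                 # switch presents the MAC as user name
        else:
            ok = identity is not None and RADIUS_USERS.get(identity) == secret
        if not ok:
            return False
        expiry = now + self.reauth_period          # must re-authenticate after this
        if self.mode is PortMode.PORT_BASED:
            self.port_open_until = expiry          # whole port, any source MAC
        else:
            self.authorized[mac] = expiry          # only this MAC address
        return True

    def allows(self, mac: str, now: int) -> bool:
        """Would a data frame with source `mac` be forwarded at time `now`?"""
        if self.mode is PortMode.PORT_BASED:
            return self.port_open_until is not None and now < self.port_open_until
        expiry = self.authorized.get(mac)
        if expiry is None or now >= expiry:
            self.authorized.pop(mac, None)         # expired: client must re-authenticate
            return False
        return True


def demo() -> Dict[str, bool]:
    """Run the article's four scenarios and report who gets through."""
    r: Dict[str, bool] = {}

    # 1) Port-based: the access point authenticates; its WLAN clients (and
    #    anything else on the port) pass without authenticating themselves.
    ap_port = Port(PortMode.PORT_BASED)
    ap_port.authenticate("aa:aa:aa:00:00:01", now=0, identity="ap-lobby", secret="s3cret-ap")
    r["port_based_wlan_client"] = ap_port.allows("aa:aa:aa:00:00:99", now=10)
    r["port_based_after_timeout"] = ap_port.allows("aa:aa:aa:00:00:99", now=3601)

    # 2) Single: only the authenticated MAC passes; a second host on the same
    #    port is refused even though its credentials are valid.
    pc_port = Port(PortMode.SINGLE)
    pc_port.authenticate("bb:bb:bb:00:00:01", now=0, identity="alice-laptop", secret="alice-pw")
    r["single_owner"] = pc_port.allows("bb:bb:bb:00:00:01", now=5)
    r["single_other_mac"] = pc_port.allows("bb:bb:bb:00:00:02", now=5)
    r["single_second_client"] = pc_port.authenticate(
        "bb:bb:bb:00:00:02", now=5, identity="ap-lobby", secret="s3cret-ap")

    # 3) Multi: each host behind the unmanaged switch is judged on its own.
    uplink = Port(PortMode.MULTI)
    uplink.authenticate("cc:cc:cc:00:00:01", now=0, identity="alice-laptop", secret="alice-pw")
    uplink.authenticate("cc:cc:cc:00:00:02", now=0, identity="nobody", secret="x")
    r["multi_good"] = uplink.allows("cc:cc:cc:00:00:01", now=1)
    r["multi_bad"] = uplink.allows("cc:cc:cc:00:00:02", now=1)

    # 4) MAC-based: the printer is admitted by address alone, so a device
    #    cloning that address is indistinguishable from the printer.
    printer_port = Port(PortMode.MAC_BASED)
    r["mac_printer"] = printer_port.authenticate("00:11:22:33:44:55", now=0)
    r["mac_other"] = printer_port.authenticate("00:11:22:33:44:66", now=0)
    r["mac_cloned"] = printer_port.allows("00:11:22:33:44:55", now=1)
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} {'forwarded' if allowed else 'blocked'}")
```

The re-authentication timer is the only thing that closes a port in this model; on a real switch, link loss also clears the authorization, and the RADIUS server can assign a VLAN or shorten the timer per session.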
A Switch is not just a Switch…
Which of these modes to use is ultimately the administrator's choice. There is much less freedom of choice when it comes to selecting the switches themselves. Only managed switches provide the functions necessary for monitoring and controlling access and for denying network access to unauthorized devices and persons. While an unmanaged switch is an economical choice for a small network, in a complex company network it represents a vulnerability: every port on it is open to whoever plugs in. So taking a closer look at the data sheets and specifications, in particular at which of the modes above a switch supports, is a worthwhile exercise.